Cloudy Compliance

Could this scenario apply to your organization? You take compliance seriously. Departments define business processes through policies and procedure documents. The procedures include controls to assure compliance. Internal and external teams audit the processes and test the controls. Accordingly, IT has defined clear procedures for granting external users access to content owned by the organization. All is well.

However, some users find these procedures onerous. So without informing IT, they turn to the cloud, create their own accounts on a free cloud-based content management service, and begin bypassing procedures.

The legal department knows nothing of this content. If the organization were involved in litigation and forced to put a hold on materials, content located in the cloud would escape its attention. Retention and other information management policies do not encompass this rogue content. It exposes the organization to unconsidered risks and vulnerabilities.

As the cloud opens up functionality to users that once would have required IT intervention, organizations need to consider how to either bring these technologies into compliance or stop users from accessing them.

Organizations might choose to extend the policies already applied to personal email accounts on the network and simply block access. But while it can easily be argued that personal email serves a personal purpose, so blocking it makes sense, the case is not so obvious for other cloud services. If users have turned to the cloud to perform critical work, it is not so easy to block it without providing an alternative.

As a first step, do not take for granted that users in your organization are not storing content in the cloud. Ask and check the logs.
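One way to act on that advice, as an added example that is not from the original post: a small Python script that scans proxy log lines for requests to a watch-list of cloud content services and tallies per-user upload activity. The log format, the domains on the watch-list and the user names are all constructed for this example; substitute the services your own logs actually show.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical watch-list of consumer file-sharing / content services (placeholders).
CLOUD_CONTENT_DOMAINS = {"example-drive.test", "example-docs.test", "share.example-box.test"}

# Constructed proxy log lines: timestamp user method url status bytes
SAMPLE_PROXY_LOG = """\
2017-03-01T09:12:04Z alice PUT https://example-drive.test/upload/contract.docx 200 483211
2017-03-01T09:15:30Z bob GET https://intranet.corp.test/policies 200 12044
2017-03-01T09:16:02Z alice POST https://example-drive.test/api/files 201 9001
2017-03-01T10:03:17Z carol POST https://share.example-box.test/v2/upload 200 2204433
2017-03-01T10:04:00Z dave GET https://example-docs.test/view/1 200 5000
2017-03-01T10:05:11Z bob GET https://www.example-drive.test/ 302 0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
UPLOAD_METHODS = {"POST", "PUT"}  # methods that move content out of the network


def matches_watchlist(host, domains):
    """True if host equals a watch-listed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def summarise_cloud_use(log_text, domains=CLOUD_CONTENT_DOMAINS):
    """Return {user: {"requests", "uploads", "upload_bytes", "hosts"}} for every
    user who touched a watch-listed domain; all other traffic is ignored."""
    report = defaultdict(lambda: {"requests": 0, "uploads": 0, "upload_bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on real logs
        _ts, user, method, url, _status, size = m.groups()
        host = urlsplit(url).hostname or ""
        if not matches_watchlist(host, domains):
            continue
        entry = report[user]
        entry["requests"] += 1
        entry["hosts"].add(host)
        if method.upper() in UPLOAD_METHODS:
            entry["uploads"] += 1
            entry["upload_bytes"] += int(size)
    return dict(report)


if __name__ == "__main__":
    for user, info in sorted(summarise_cloud_use(SAMPLE_PROXY_LOG).items()):
        print(f"{user}: {info['requests']} requests, {info['uploads']} uploads "
              f"({info['upload_bytes']} bytes) to {sorted(info['hosts'])}")
```

Users with a non-zero upload count are the ones to talk to first; a large byte total against a service nobody in IT provisioned is exactly the rogue content the post describes.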

How has your organization dealt with this challenge? Share your comments.

I'm the Director of Threat Solutions at Shape Security, a top 50 startup defending the world's leading websites and mobile apps against malicious automation. Request our 2017 Credential Spill Report at ShapeSecurity.com to get the big picture of the threats we all face. See my LinkedIn profile at http://www.linkedin.com/in/jamesdowney and follow me on Twitter at http://twitter.com/james_downey.

Posted in Cloud Computing
